Anthem's Audit Refusal: Mixed ReactionDenial of Vulnerability Scans Seen as Blunder, or Justifiable
Privacy and security experts are offering mixed reviews of Anthem Inc.'s denial of a government auditor's request to perform vulnerability scans of the health insurer's IT systems in the wake of a hacker attack that affected 78.8 million individuals.
The Office of Personnel Management's Office of Inspector General, in a statement provided to Information Security Media Group, says Anthem - citing "corporate policy" - refused to allow the agency to perform "standard vulnerability scans and configuration compliance tests" this summer, as requested by the OIG. The health insurer also refused to allow the OIG to conduct those vulnerability tests in 2013 as part of an IT security audit that was performed by the agency.
"Anthem is in a no-win situation on this [most recent] request," says Dan Berger, CEO of security services firm Redspin. "It does appear Anthem has the contractual right to decline the request for an OIG vulnerability scan. But they might want to rethink that. Refusing now looks bad - both to their client OPM and to the public at large."
Security expert Mac McMillan, CEO of the consulting firm CynergisTek, notes: "Usually most companies want to cooperate with the government regulators because, quite frankly, it's in their best interest to do so. Most government contracts provide a provision for the government to conduct an audit if they deem it necessary."
But some other security experts are not surprised that Anthem refused the vulnerability tests.
"In fairness to Anthem, their position may be perfectly well-founded," says Bob Chaput, founder and CEO of Clearwater Compliance. "It's unclear what is precisely meant by vulnerability scans. Ask five people for a definition and receive eight different definitions. External and/or internal technical testing - expanding for the moment to include penetration testing as a way to identify a weakness - can be quite intrusive and disruptive to an organization's operations."
OPM's OIG performs a variety of audits on health insurers that provide health plans to federal employees under the Federal Employee Health Benefits Program, an OIG spokeswoman tells Information Security Media Group. However, under the standard FEHBP contract that OPM has with insurers, insurers are not mandated to cooperate with IT security audits. Sometimes amendments are made to insurers' federal contracts to specifically require the full audits, the spokeswoman says. In fact, the OIG is now seeking such an amendment to Anthem's FEHBP contract.
OIG also notes in a statement: "We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident. We do not know why Anthem refuses to cooperate with the OIG."
A Common Practice?
David Kennedy, founder of security consulting firm TrustedSec, says it's "very common" for corporations to prohibit or limit external parties from performing vulnerability scans. "Most corporations have sanctioned tests that occur from third parties that perform the same type of testing and go even more in depth," he says. "A vulnerability scan is the most basic form of an assessment and wouldn't have prevented the Anthem breach from occurring. Most corporations will provide a summary of the assessment that was performed to provide to third parties to satisfy them for appropriate due diligence."
Although Anthem's recent refusal of the OIG audit requests might now appear to be a public relations blunder for the company, "I can see Anthem's side too, though," says Redspin's Berger. "A vulnerability scan is always going to find vulnerabilities. They may be concerned that any post-breach vulnerability report will be linked back to the recent breach. In reality, such scans are a 'point in time' assessment; it's unlikely that running a scan in the summer of 2015 would determine conclusively whether the recent breach could have been prevented."
In addition, if a security audit is not mandated by a contract, Chaput says it's probably not that unusual for private entities to refuse such requests from government agencies. "It depends on the nature of the relationship of the parties, the structure of that relationship, sensitivity of information involved, etc.," he says. "For example, is OPM a HIPAA covered entity and Anthem a HIPAA business associate in this relationship?"
Time for Change?
Also, the audit hoopla might even signal a need for OPM to overhaul its contractual practices, Chaput argues.
"In fact, it's quite possible that OPM is in violation of the HIPAA Privacy and Security Rule 'organizational requirements,'" he says. "Did OPM update all BA agreements? Do the terms and conditions of whatever agreements exist meet the requirements set forth in these HIPAA Privacy and Security Rule 'organizational requirements' to receive satisfactory assurances that this PHI and other sensitive information would be safeguarded?"
The government should negotiate stronger security protections into their contracts with insurers, Berger suggests. And that could include third-party vulnerability scans, whether conducted by OIG or others.
But McMillan of CynergisTek says Anthem's refusal of OIG's request could potentially provoke even more scrutiny by other government regulators or perhaps even legislative proposals from Congress.
Anthem likely already faces an investigation by the HIPAA enforcement agency, the Department of Health and Human Service's Office for Civil Rights, which investigates health data breaches and has the power to issue settlements that include financial penalties.
"Whether it is appropriate or allowed under [Anthem's] current contract or not - refusing a test right after a breach of this magnitude is enough to make some people say there needs to be greater accountability," McMillan says.
Ironically, Chaput says that by denying the vulnerability tests by OIG, Anthem could be actually taking extra precautions in protecting PHI. "With over-the-top issues of government surveillance of U.S. citizens, Anthem might be thought of as having implemented a reasonable and appropriate administrative control - i.e. their 'corporate policy' to safeguard information with which it has been entrusted," Chaput says. "In the HIPAA Privacy Rule, there are standards and implementation specifications in which PHI, for example, is required to be disclosed to the Secretary of HHS. Since this technical testing could result in a disclosure of PHI, PII or other sensitive information, under what standard is OPM OIG invoking a right of potential disclosure?"
Kennedy adds that when he worked for ATM security vendor Diebold, "we never let anyone scan us. However we would always have reputable third parties perform assessments on us on a regular basis and provide those upon request when an organization wanted to evaluate our security."
Anthem did not respond to ISMG's request for comment.